The Biden Administration is pushing federal agencies to adopt a zero-trust security architecture to protect themselves and their data from “increasingly sophisticated and persistent threat campaigns,” according to a new strategy issued this week by the Office of Management and Budget (OMB).
According to the White House order, agencies have until the end of the government’s fiscal year 2024 to reach the target goals laid out in the strategy and based on a zero-trust model developed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
The 29-page memorandum from Acting OBM Director Shalanda Young comes less than a year after President Biden issued his executive order calling for the improvement of the government’s cybersecurity posture in the wake of a series of attacks that impacted agencies and endangered critical infrastructure, including those on SolarWinds and Colonial Pipeline.
An initial draft of the plan was released in September to gather public input, including from the cybersecurity industry.
“In the current threat environment, the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data,” Young wrote. “A transition to a ‘zero trust’ approach to security provides a defensible architecture for this new environment. … It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction.”
Zero Trust Gains Momentum
Zero-trust architecture efforts have gained momentum in an IT environment that is increasingly distributed and mobile, located not only within corporate data centers but increasingly spread among mobile devices, the cloud and the edge.
Central to a zero-trust architecture is the premise that anything and anyone trying to access a network or infrastructure cannot be trusted and must be verified, and that they must be continuously verified throughout the transaction – and given access to no more than the resources they need. Microsegmentation has been one of the critical tools used to achieve zero trust, carving networks into small segments to limit risk.
Zero trust is a fast-growing security technology, with KBY Research analysts predicting the market will grow an average of 18.8 percent a year through 2026, when it will hit $54.6 billion.
Also read: How to Implement Microsegmentation
Support for Zero Trust
The government’s embrace of a zero-trust strategy was applauded by many in the cybersecurity field.
“Zero trust is becoming table stakes for organizations to protect themselves online,” John Engates, field CTO for Cloudflare, a web infrastructure and security company, told eSecurity Planet. The “directive from the White House signals that the federal government is taking cybersecurity threats seriously and is adopting a strategy that will better protect the nation’s cyber infrastructure, and by extension, United States national security. Zero trust shouldn’t be seen as just another product or industry buzzword – it’s a fundamental shift in security philosophy.”
Zero trust is a fundamental shift in security philosophy
The FIDO Alliance, an open industry alliance aimed at creating improved authentication technologies that reduce the reliance on passwords, also endorsed the government’s zero-trust strategy, with alliance Executive Director Andrew Shikiar in a statement zeroing in on the requirement for using phishing-resistant authentication tools to protect against phishing attacks, with some becoming sophisticated enough to get around such even multi-factor authentication (MFA) technologies.
Tim Erlin, vice president of strategy at cybersecurity vendor Tripwire, told eSecurity Planet that shifting the entire government to a zero-trust architecture is an important but difficult task. That said, the strategy falls short in a couple of crucial ways.
“It’s unfortunate that this memorandum doesn’t provide a clearer role for what NIST identifies as one of the key tenets for zero trust: integrity monitoring,” Erlin said. “Documents from both CISA and NIST include integrity monitoring as a key component of zero trust, but the OMB memorandum doesn’t include similar treatment.”
He also said that focusing so much on endpoint detection and response (EDR) – which is evolving into managed detection and response (MDR) and extended detection and response (XDR) – may create an over-reliance on a technology that is already morphing into something newer and more comprehensive.
Verification Over Trust
According to the OMB memorandum, the goal is to get to a point where employees have enterprise-managed accounts that give them access to the applications and data they need while protecting them from outside threats, where the devices they use are consistently tracked and monitored, and where agency systems are isolated from each other.
In addition, enterprise applications will be tested internally and externally and made available in a secure manner over the internet.
“A key tenet of a zero trust architecture is that no network is implicitly considered trusted – a principle that may be at odds with some agencies’ current approach to securing networks and associated systems,” Young wrote. “All traffic must be encrypted and authenticated as soon as practicable.”
The strategy will rely on five complementary pillars outlined in a zero-trust maturity model developed by CISA. The strategic goals include:
- enterprise-managed identities to access applications
- a complete inventory of devices authorized and used
- the ability to respond to and prevent incidents on those devices
- networks encrypting all DNS requests and HTTP traffic
- creating isolated environments
In addition, all applications will be treated as internet-connected and consistently tested, and agencies will use data categorization as well as leverage cloud security services to monitor access to sensitive data. There also will be enterprise-wide logging and information-sharing.
Fast Tracking Cybersecurity
Government agencies now have 30 days to designate a lead for implementing the strategy within their organization and 60 days to submit an implementation plan to OMB.
“While the concepts behind zero trust architectures are not new, the implications of shifting away from ‘trusted networks’ are new to most enterprises, including many agencies,” Young wrote. “This process will be a journey for the Federal Government, and there will be learning and adjustments along the way as agencies adapt to new practices and technologies.”
CISA Director Jen Easterly said in a statement that “as our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity. Zero trust is a key element of this effort to modernize and strengthen our defenses. CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity.”
Government officials pointed to attempts by state-sponsored and other hacking groups to exploit the flaw recently found in Log4j as the latest example of threat actors trying to leverage new ways to get in the networks and other infrastructure of targets. The vulnerability – dubbed Log4Shell – is a significant threat because the Java logging tool is free and widely distributed, exposing large numbers of servers and cloud services to a vulnerability that is easily exploitable. Threat intelligence experts have found numerous incidents of cybercriminal groups trying to find ways to exploit the flaw since knowledge of it became public in early December.
Read next: Top Vulnerability Management Tools for 2022